Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total).

What you’ll find in this segment

The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation – especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey – no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas – and then boom – we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed – my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

(PS: I hope you still chose to listen to the programming on The Security Catalyst; however, somewhere in the feedchange, we seem to have confused iTunes. If it doesn’t look like we have new shows – you may want to unsubscribe and resubscribe.)

Welcome to the debut of the Pop Culture Security program – a monthly installment of the Security Catalyst Show. Please also welcome James Costello – the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum – a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful – especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

• call  206-350-8346 and leave us a message with your challenge
• email popculturesecurity &at& securitycatalyst dot com

PS: I recently purchased a snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit – and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of this interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable – shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

It was disclosed last week that a vulnerability in the OpenSSL packages used by debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember code red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

I am excited to introduce to you a new program that I host and produce for Cornell University called “Driving the Digital Revolution.”

Driving the Digital Revolution is a simple, but powerful, way to consider the changes taking place around us every day. The digital revolution has led cultures from poverty, literally changed the face of global business, local business and even impacted on the family structure. Without question, the digital revolution both counts on and plays an active role in shaping how people protect information.

Cornell takes its role in driving the digital revolution seriously. In both education and research, emphasis is placed not only on the field of study, but in how that subject is being transformed by advances in computing and information resources. It realizes that as ideas and technologies are advanced, we have an obligation to not only consider the consequences, but to study and anticipate the unintended consequences.

I am sharing this with you for two reasons:

(1) I am passionate about this series and the opportunity to work with other experts to dig deeper and uncover important concepts that are driving the digital revolution; their words have a lasting impact on me, and I believe they will on you, too.

(2) We are at a place in our industry when we need change. We need to grab on to a vision of hope and drive change. Studying how Cornell participates in driving the digital revolution is a blueprint for our success.

So sit back, plug in and consider the words — and passion — of Dean Constable and how they apply to what you do. Working together, we can change the way people protect information.

There are three ways to listen and subscribe (so you get every episode)
1. Each episode incorporates the ability to listen on the website! Simply point your browser to http://www.cis.cornell.edu/alumniblog/ and press play
2. You can download this episode directly: http://www.cis.cornell.edu/alumniblog/podcast/cornell-ddr-01.mp3
3. If you prefer to use and subscribe using RSS, here is the feed: http://www.cis.cornell.edu/alumniblog/feed/

Into the Breach is really taking shape – but I have been eager to get back behind the microphone and share the ideas and concepts I have been working on. You witnessed my transition to The Security Catalyst last year, and with it, my focus on changing the way people protect information.

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN – DO – REVIEW

I first learned about PLAN – DO – REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use – with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

On this program, we share a conversation with Brian Chess, the author of Secure Programming with Static Analysis – a conversation that is a must listen for business leaders, security professionals and developers if you want to learn how to engage your teams to better protect information.

Brian takes an approach with secure programming that is similar to the approach I follow when assessing and implementing awareness and training programs. So whether you are a developer or not, you will change the way you protect information by listening to Brian!

What I took away from my conversation with Brian
After reflecting on our conversation (I explain more during the podcast), here are the top five points I took away:

1. Introspection is important when looking to protect information. To me, this also means we have to stop blaming and looking to assign blame. We can look within, take (and encourage) responsibility and find solutions.

2. Trust is paramount. We have to find ways to establish and maintain trust, offline and online.

3. We need to develop processes and tools to support our experts in a way that naturally engages them and encourages their participation in information protection.

4. New processes, new learning and new tools require an initial investment (time, money and resources) that may sometimes seem sizeable – but the savings are realized rapidly and bring long-term positive benefits.

5. In security, we need to stop griping and learn to be good coming from behind. It’s okay, and we can do it.

What did you take away from this conversation? Send me an email: securitycatalyst@gmail.com, or better yet – join us in the security catalyst community – www.securitycatalyst.org and share your insights with others.

Information and Links

Brian Chess, Ph.D., Founder & Chief Scientist
http://extra.fortifysoftware.com/blog/bloggers.html

Dr. Chess’s research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedger.

Secure Programming with Static Analysis

http://www.amazon.com/Programming-Analysis-Addison-Wesley-Software-Security/dp/0321424778/ref=sr_1_1?ie=UTF8&s=books&qid=1196292147&sr=8-1

Blogging with Brian Chess

http://extra.fortifysoftware.com/blog/

Serving Your Needs
I thoroughly enjoy researching and producing these podcasts – and looking forward to getting back into a programming schedule with a bit more regularity. I’ve also been impressed with the Talk Shoe service, and considering hosting more podcasts through Talk Shoe so you can listen in live.

Let me know if you would listen live and participate if we made that an option, and who you would like to share a conversation with by sending me a note: securitycatalyst@gmail.comAs always, thanks for the gift you give me by listening. If you liked the program, tell a friend. If not, tell me!

This podcast explores how and why virtual teams fail, based on new research from a group of graduate students at Johns Hopkins Carey School of Business.

My belief is that in order to protect information, we have to support the individual – and make it easier for them to do their job. By learning more about how virtual teams fail, we can learn how to avoid mistakes and build stronger and more effective collaboration opportunities – where people can do their jobs while taking responsibility for protecting information. By absorbing this research, you may also learn how to work more effectively on your own virtual teams.

After our interview, I share the top five things that I learned about nurturing and protecting virtual teams. I invite you to sit back, listen, learn and contribute. I’m happy to keep the conversation going in the security catalyst community.

Background: Bring new knowledge to the field of work team behavior
A group of five graduate students (Robert Darling, Cari Endicott, Lisa Fratino, Matsuno Inoue, and Ellen Snydman) from the Carey Business School of Johns Hopkins University participating in a team building course under the leadership of Dr. Robert Pernick were charged with bringing new knowledge to the field of teaming.

This group elected to research the world of virtual teaming, and in doing so, found that here is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or become sub-optimized.  The team’s first research effort was to conduct structured interviews with a group of virtual teaming experts.

The experts interviews generally agreed that the success of virtual teams were threatened by:
•    Concerns regarding the ability to protect sensitive information
•    Lack of a single platform that provides all the tools necessary to optimize
•    The struggles of virtual communication
•    Poorly or under-trained users
•    The challenge of building trust  without the use of face-to-face communication

Overall, the experts agreed that all of these obstacles can be overcome and unless combined into the “perfect storm” are not likely to cause catastrophic failure. The experts felt very good about the work that is be done virtually and believe that the use of virtual teams will become even more prevalent into today’s global society.

The second phase of research involved the distribution of a short, online survey about virtual work.  The results of the survey are still be collected, but at this point there seems to be a great deal of overlap with the findings from the subject matter experts.  The podcast you are listening to will explore both elements of the research and will introduce yet another subject matter expert, Stu Snydman, the Manager of Digital Production at the Stanford University Libraries.

This podcast was created and hosted by Michael Santarcangelo and expertly engineered by Steve Witt. Thank, Steve!

I’m back, baby! I know I’ve been remiss in sharing some ideas and observations – but I’ve been really focused. As I continue to focus on changing how people protect information, I have come to appreciate the value of the fundamentals. I share some insights in this long overdue podcast.  Things you will learn by listening to this podcast:

• I am a yankees fan
• Three lessons I took away from watching professionals and legends
• How to have more fun at work

I also share some updates on the Information Protection Assessment Toolkit, make a special offer and update some of my travel plans.  It’s nice to be back. We have an SRT coming up, and I have a lot I hope to share… more to come…  If you enjoy this, let me know. If not, let me know how I can make your job easier and improve the quality of your podcast experience. 

You are invited to learn how to reduce the effectiveness of attacks and sleep better at night by using a non-administrative user account. In this brief podcast, we explain:
-    why you should be using a non-administrative user account
-    how to determine which type of account you are currently using
-    how to create normal user accounts
-    how to change to a regular user account

Thanks to a dedicated team of professionals, this podcast has been made better. If you see them on the street, give them a big hug. They worked hard (and continue to) to improve our efforts to make a difference:

• Gary Morgan, CISSP
• Alvin Liau, CISSP
• George Viconovic, MCIW/D
• James Costello, Security + SME
• John Biasi
• Peter Clark, CISSP

If you have not yet joined the conversation in the Security Catalyst Community, please do so now: http://community.securitycatalyst.com/forums/index.php

The specific link for this discussion is here: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
(note: joining the community costs nothing – except your active participation!; we enforce a naming standard of using your full name. It helps us keep the supportive environment positive. We look forward to sharing ideas and learning with you.)

Links and Information Mentioned During the Program

Least Privilege

In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.
Source: Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege

Determine the current status of a user account

Two basic options in windows XP
Windows XP: Option 1
• Start -> Run -> CMD (bring up a command prompt)
• type ipconfig /renew (this will be in the show notes)
• Limited Users will be given an error that access is denied.  Administrators will be allowed to renew their IP address.

Windows XP: Option 2
• Start –> Control Panel
• Launch the User Accounts application

If you are  a Limited User you will be presented with the option to Change your picture or to click on Mail or User Accounts.  • You are limited to changing your own password
• changing your picture
• or to set up your account to use a .NET Passport.

If you are an Administrator you will be given the option to Change an account, create a new account or change the way users log on or off.

For more ways, join the discussion in the catalyst community forums: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html

Mac OSX
• System Preferences –> Accounts
• Right under the name it tells you the kind of account they have

Create a non-admin account

Mac OSX
• System Preferences –> Accounts
• Check that the lock is unlocked; if not, click it and enter your password
• click on the + sign
• Enter in the information, including a password
• DO NOT check (make sure you leave blank) the box for ‘Allow user to administer this computer’

Windows, pre-vista
• Start -> control panel
• Select ‘User Accounts’
• Select ‘Create a new account’
• Type in the name of the new user account
• Select the ‘Next >’ button
• Select the ‘Limited’ radio button
• select the ‘Create Account’ button

you’re not done! Time to select a good password
(We will go into details on good passwords in the future)
• You will be presented with a ‘User Accounts’ screen, with a ‘Pick a task’ option.  Select ‘Change an account’ option
• Select the account you just created
• On the next screen ‘What do you want to change about Child 1′s account?’ select ‘Create a password’
• Then enter a strong password, in the first two boxes, enter a password hint in the Third box.  Then press the ‘Create Password’ button’

Support the efforts of The Traveling Catalyst!
RV Tour (our pre-tour warmup for the Security Revival Tour)

• Nashville (April 24 – 25)
• Atlanta (April 26 – May 3 or 4)
• Key West (May 3 or 4 until May • Baltimore/Washington/Northern Virginia (May 10 – May 18)

We’re working now to set up some public sessions of
• Are You Making a Living or a Life?
• Career Compass Coaching
• Speaking About Security

We’re also interested in offering some public keynotes in each of the areas to support the efforts of security professionals. Send me an email if you’re interested (securitycatalyst@gmail.com)

We are in the process of selecting cities for our ”security revival tour” for the second half of 2007. If you would like us to bring our training to your city, send me an email: securitycatalyst@gmail.com

Thanks for listening – now go make your user account changes and be safe out there!

I feel like we’ve been building to this for a while now… Here is the first episode of the Family Security Series podcast. This episode focuses on operating system and application patching. The goal is to explain the basic approach, some configurations and then provide links and details, as available. I invite you to not only listen, but to share this podcast with others – especially those that you think would benefit from it.

We have also decided to include at least monthly programming designed to help consumers; this helps you with your awareness efforts.

I want to thank the advisory committee for their help. This episode is better because of:
- Andrew Hay | Founder and CEO of Koteas Corporation
- Peter Clark
- Alvin Liau, CISSP
- John Biasi

Basic Overview Sites (some of this material will be covered in future episodes)
Microsoft Security Site for Home Users
Apple Security Site (good starting point)

Links for Microsoft (Operating System)
Windows Update

If you need/want an alternative: AutoPatcher

Links for Apple/Mac (Operating System)
Mac OS X: Updating your software
Application Update Links

For Microsoft Applications:
Use System Restore to Undo Changes if Problems Occur
Product updates, free trials, and third-party downloads (there is a button on the right hand side to allow you to check for updates)

Other Updates we mentioned:

Download the latest version of Adobe Reader
Firefox (browser)
Thunderbird (email client)
Real Player

(if you have others – send them to me at securitycatalyst@gmail.com and I will include them in our Family Security Resources Section)

Episode Lineup:
Episode 1: OS and Application Patching
Episode 2: non-admin user
Episode 3: Anti-Virus, Anti-Spyware and other needed protections
Episode 4: Firewalls
Episode 5: Backup
Episode 6: Wireless Securiy Basics
Episode 7: Professionals Best Practices

Come discuss this and other ways to help protect information in the Security Catalyst Community.

If this helped you, please invite two friends to listen.

Welcome to a new programming aspect of the Security Catalyst experience: our Q&A podcast. After recording this weekend, we made the decision to run this today and push the Family Security Series back a few days (the team engaged in advising me has really brought on a lot of value and I am looking forward to getting that program started).

So, what can you expect from this program?
- Our goal is to review questions and answer them monthly
- We will answer questions sent in by readers and listeners, across three basic types:

- career
- consumer
- business

- Depending on each show, we may not cover each segment (or we might be covering one topic across all three). We’ll see how it goes.
- We are also taking the time for each program to research the questions a bit, and then are combining our experience, opinions and research to provide what we hope to be useful and helpful information.
- Each show will list links (which you’ll see below).

Here is our disclaimer
This is our best effort. To really benefit from this experience, we invite you to get engaged in the process:
- if you see something we missed, join us in the discussion forum and chime in
- use our experience as a guide for your own decision making
- if you need more help, join the security catalyst community (note the naming convention of: Firstname.Lastname)

On this Episode (three questions)

1. “I was curious if you are aware of any resources for security study and job-seeking, as I’m entirely self-taught. At this point I scan the logs and read whatever I can on the web and industry rags. I do Windows but prefer linux for its stability – most of my tools are on the linux box. Pisses off my boss to no end Not bad for self-taught, but it’s time for a large pay raise” – Jeff

Links from our answer:
NSA as Centers of Academic Excellence in Information Assurance Education (CAEIAE) http://www.nsa.gov/ia/academia/caeiae.cfm
http://www.cnss.gov/full-index.html

A list of all CAEIAE insitutions and the areas they have certified in is available here http://www.nsa.gov/ia/academia/iacmap.cfm

CISA – www.isaca.org/cisa/
CISM – www.isaca.org/cism/
CISSP – www.isc2.org/
SANS – www.giac.org/certifications/roadmap.php
Norwich – http://www.msia.norwich.edu/insecure/

Join the discussion in the Security Catalyst Community:

http://community.securitycatalyst.com/forums/index.php/topic,95.0.html
and
http://community.securitycatalyst.com/forums/index.php/topic,116.0.html

2. “I’m looking for some topic ideas relating to some awareness initiatives here where I work. I know you’ve been asking for feedback on topics, and I was wondering if you’d share any of your findings.” – Jim

Special Offer: If you send me an email at securitycatalyst@gmail.com – I will work with you to survey your audience and provide the results to you to help you kick-start your awareness program. While I welcome the opportunity to explain some of our research, there are no strings attached. This is what I do for a living, and if it helps get our much needed awareness efforts kick-started, then I’ll contribute this to the industry.

Links:
Come discuss this with us in the forum:
http://community.securitycatalyst.com/forums/index.php/topic,41.0.html

Some other ideas for topics:
NIST 800-69, Guidance for Securing XP Home: http://csrc.nist.gov/itsec/guidance_WinXP_Home.html (** this is what we are using for the first 5 episodes of the FSS Podcast)
CERT Home User Security: http://www.cert.org/homeusers/HomeComputerSecurity/

3. “I have been researching antivirus software for too long and just keep going in circles. I cannot distinguish between different antivirus software vendors because of either their marketing hype, inconsistent reviews, FUD, etc. Is there really a quantifibable difference or is it just opinions? What are your thoughts on this and could you provide an antivirus suggestion? At this moment I am leaning more towards either Zone Alarm Security Suite, or Kerio and NOD32.” – Eric

Links
If you are looking for more information on how specific AV software did in testing, check out
- AV Test (www.av-test.org), independent testing lab in Germany
- CheckVir (www.checkvir.com), independent testing lab in Hungary
- ICSA Labs (www.icsalabs.com), one of the first organizations to start testing the claims of AV vendors, now part of Cybertrust (www.cybertrust.com)

For those adventurous types that are looking to run a few in house tests, here are some resources that might help
- The European Expert Group for IT-Security (www.eicar.org), Look for the “Anti-Malware Testfile” link on the main page

Free AV resources
- AVG Free – http://free.grisoft.com/doc/1
- Avira AntiVir Personal Edition – http://www.free-av.com/antivirus/allinonen.html
- ClamWim – http://www.clamwin.com/
- TrendMirco Free Online Virus Scanner – http://housecall.trendmicro.com/

Subscription AV resources
- CA eTurst Antivirus – http://www3.ca.com/solutions/Product.aspx?ID=156
- Symantec (number of different products for home/small to mid business/enterprise) – http://www.symantec.com/index.htm
- McAfee (same as symantec, differen products for different sectors) – http://www.mcafee.com/us/
- NOD32 – http://www.eset.com/
- Sophos (for businesses) – http://www.sophos.com/

Additional reviews
- AV Test – http://www.av-test.org
- CheckVir – http://www.checkvir.com
- ICSA Labs – http://www.icsalabs.com

I know, I know… all work and no play. I can tell when I’ve been away from podcasting for a few days (okay, weeks) when I start getting polite emails and nudges… well, here is a quick audio update for you.

If you’ve been following this site for a while, you may recall that I took some time at the turn of the year to think and plan how to be more effective in my business, as a blogger and as a podcaster. As a result of that planning (and my quest to regain some harmony in my life), we dedicated the entire month of January, and now some of February to documenting our approach, value and explaining our focus: to create, design and deliver exceptional experiences that help transform how organizations think about and protect information.

As a result, I am excited. I am healthy. And I am ready to get back behind the mic. Of course, I need to make sure that we keep my team healthy, active and busy… but as that is coming more clearly into focus, I’ll have more time to get back to active podcasting.

In this update:
The 5 Steps to protecting your computer
Here are the five basic steps that anyone with a computer should be following
1. Update your operating system and applications
2. Use a non-admin account for general use
3. Install, configure and use anti-virus, anti-spyware and other malware protections
4. Install, configure and use a firewall
5. Backup, backup, backup

Each of the next five episodes will cover each of those steps, exploring the how and why in a way that we can share with technical and non-technical people alike. Then we’ll produce two additional programs to cover basic wireless configuration and some additional tips from the pros.

Our Awareness Experiences and Efforts
In this update, I briefly mentioned that I am focusing on providing two exceptional experiences and a new way to handle security awareness

Speaking about Security
This two-day intensive experience is designed to explore the power of the narrative and teach professionals how to communicate about security concepts more effectively. Currently available as private classes; we are looking into holding some public courses.

Avoiding the Breach
Based on the research and prescription for success from my upcoming book, this two-day experience is an entertaining and proven approach to transforming how technical and non-technical people in your organization think about and protect information. Currently available as private classes; we are looking into holding some public courses.

Security Awareness Transformation
This is an exciting offering where we are combining the power of social media with our proven ability to connect with users with strategies to better protect themselves and their information (as well as yours).

For each of these, I will be sharing key concepts, lessons and strategies over the coming year. I’m interested in taking an approach of sharing the information so we all benefit, and then working with companies that are interested in being supported through their transformation. If you want some information in the meantime, shoot me an email. I’m excited about these areas and always interested to share some energy, passion and insight.

I’m currently looking for five (5) companies to work with me on each of these experiences to help validate some changes and approaches. If you are interested, please contact me and we can talk about some incentives I am currently offering to those interested in making an impact in 2007 – securitycatalyst@gmail.com

My approach to podcasting for 2007
We will share our research, knowledge, insights and work to provide you with insights, information, facts and templates to be more effective. I’ve also already announced some new programming we’re starting this year… but don’t worry, I’ll continue, when possible, to release some shorter podcasts that capture my thinking, my passion and help to get it out.

If you want to help: securitycatalyst@gmail.com

More to come soon…

Did you know about the changes in Daylight Savings Time for 2007? Have you already assessed the plan you and your company will use to reduce friction? For the first Security Catalyst podcast of 2007, I decided to push the (Teach Your) Family Security Series back a week in order to shed some light on the changes that the shift in Daylight Savings Time (DST) will see in 2007.

During this episode, we explore:
The improvements planned for 2007, which include
* More programming and a focus on series (Family Security, Hard Drive Encryption, etc.)
* The change to a more consultative approach — so you can work smarter, not harder
* The introduction of the monthly Security Q&A with Adam Dodge
* The introduction of the monthly Privacy Stratgies with John Sileo
* The launch of the Catalyst Community Forums http://community.securitycatalyst.com/forums/index.php

Note: please come and join us in the forums, but please register using the convention firstname.lastname and include your full name in your signature. Thanks!

Daylight Savings Time 2007

Now takes effect three weeks earlier, on Sunday March 11, 2007
Ends one week later, Sunday November 4, 2007

Some useful links to help you get started in your preparation. More will be maintained in the Catalyst Community Forum Topic (along with my outline for a basic action plan):

Community Forum Topic: http://community.securitycatalyst.com/forums/index.php/topic,32.0.html

Our initial heads up:
http://www.securitycatalyst.com/2006/12/04/dst2007-%e2%80%93-springing-ahead-of-time/ (hat tip to Ron Woerner for being ahead of the curve)

The CISCO briefings on the events in Oz:

Daylight Savings Time Impact on Cisco Security MARS in Australia
http://www.cisco.com/en/US/products/ps6241/products_tech_note09186a0080626184.shtml

Australian 2006 Daylight Saving Impact on Data Center/GSS and Branch Office Application Products
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_tech_note09186a0080626ac6.shtml

Vendors (start your search here):
Microsoft: http://www.microsoft.com/windows/timezone/dst2007.mspx

Cisco: http://www.cisco.com/en/US/products/sw/custcosw/ps1973/products_field_notice09186a008076fca2.shtml

SUN (Java Runtime Environment): http://java.sun.com/developer/technicalArticles/Intl/USDST_Faq.html

Oracle: http://blogs.oracle.com/schan/2006/12/26

IBM:
http://www-1.ibm.com/support/docview.wss?rs=2004&context=SSVHZU&dc=D600&uid=swg21248273&loc=en_US&cs=UTF-8&lang=en

If you liked this program, please take a moment to subscribe and invite two friends to subscribe, too. We can all make 2007 a year where we think about and practice security more effectively!

On this last day of 2006, it seemed fitting to (finally) post the conclusion to the voting security series (it was delayed due to an ear infection and my lack of desire to finalize the recording). Now, from sunny Key West, I wanted to make sure we ended the year strong.

No end of year reflections, but in looking at the lessons learned, I realized that voting security and security in general have a lot more in common that we may realize at first glance. The good news, then, is that in 2007 we can continue to improve the way we practice security… and we may also be able to help improve the way our electronic voting systems work.

When listening to this interview, it may make sense to check out some of the diagrams and pictures from the punch scan website: www.punchscan.org

I really am impressed not only by the solution punch scan proposes, but by the energy and dedication of the punch scan team. I hope this solution is tested in 2007 and starts to gain more momentum. I plan to keep in touch with punch scan and support them as they continue to move forward.

I’m going to ring in the New Year wearing shorts and hanging out on the docks… and then I’ll be using some of the time here to think about and plan for the upcoming year. Expect more programming and more features designed to help you improve the way you explain and practice security in 2007. And expect to see the launch of the catalyst community (to support your efforts) as well as some additional programming, features and a book!

Yup, 2007 promises to be an exciting year for us all!

Thanks for your continued support, ideas, suggestions and passion. Especially your passion.

Now that the elections are over, I figured it was a good time to step up the programming of the podcast by introducing some mini-series. I think mini-series will provide us the opportunity to pick topics that matter and dive a bit deeper. At least, we’re going to give it a try… feedback welcomed.

To kick it off, I figured we could start by looking at the security around electronic voting. Yea, I know, the elections are over. To me, that makes for perfect timing. Less stress right now, and a good time for our profession to think about how we can help to improve the process.

Here are some links as mentioned in the podcast:

Google Video

Hacking Democracy (http://www.hbo.com/docs/programs/hackingdemocracy/?ntrack_para1=leftnav_category7_show1)
HRM! It seems to have been removed from Google Video. Well, it’s still being aired on HBO – so hopefully you will get a chance to see a copy. It’s worth the watch!
Site to See

Securosis (http://www.securosis.com/)
Rich Mogul’s Bio (http://securosis.com/about/)

Voting Stories and Links

E-voting 2006: A touch screen, a missing vote, a mystery in Arkansas (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005063&source=rss_topic84)

Questions we can help answer? Stories you want me to explore? Cheers or Jeers? send me an email: securitycatalyst@gmail.com.

In this episode, we explore how we can effectively partner with the FBI to share information in the form of a CONVERSATION where everyone who participates gains. I lay out three steps that I think we should discuss to improve this process. I look forward to your feedback.

Sites to See

http://www.changethis.com/

Some of the recent manifestos that I have read and enjoyed:

http://www.changethis.com/19.CreativeGeneralist

Actually, there are many on the list, and while reviewing the site again today, I downloaded and printed a few off. Many good things here to read and consider. Heck, we should consider submitting Security 2.0. Anyone want to write with me?
News Articles About the FBI Announcement

Cybercrime High On FBI Priority List; Help Wanted

FBI: Companies Need to Report Cyber Attacks

As you know, I am a strong supporter of the FBI and have suggested three ways that we all need to work together to make a difference.

1- We need to bring together academic, private and public sectors and begin a real dialogue about how to measure the effectiveness of security. We have enough brain power and models available. The time has come to advance real solutions. When we have a better model, we can work to share more information.

2- We need a taxonomy. We need an “open-source” style taxonomy that covers the breadth and depth of knowledge and experiences that we would need to cover. As we launch the community, I hope to advance this. I look forward to your help.

3 -We need a way to mutually share information. I listed out a variety of ways and will be testing one in my local infragard in the coming months. Stay tuned!

Updated Note: The episode doesn’t seem to be including in the feed. I’m trying to figure out why and should have it fixed tonight or tomorrow morning.

Join us for our fifth exciting episode of the Security Round Table. Our special guest (and now newest member) is Dan York from: Blue Box: The VoIP Security Podcast. In this episode, we look at the general overview of VoIP technologies and the security risks – as well as the myths.

Dan is a true expert and instructor on this topic – and school was definitely in for the SRT team!

Joining in on this episode:

Paul Asadorian | Pauldotcom Security Weekly
Martin McKeay | Network Security Podcast
Larry Pesce | Pauldotcom Security Weekly
Michael Santarcangelo | The Security Catalyst
Alan Shimel | SSAATY (Still Secure After All These Years)
Dan York | Blue Box: The VoIP Security Podcast

**Note – soon I you will only be able to get this podcast by subscribing to the SRT podcast ***

Welcome back! Yeah, I know, that’s better said to me than by me. The complications of travel, life and podcasting have conspired against me, but not dimished my passion, the expansion of the blog or the re-creation of the catalyst community.

In this episode, I introduce a new segment: “sites to see” and start pointing out security and security 2.0 websites to use.

This weeks Site to See

Microsoft Security Advisories
http://www.microsoft.com/technet/security/advisory/default.mspx

You can learn why I think it’s worth checking out by listening to the podcast. If you have a suggestion for future sites to see (your own or something you think is valuable), send me your idea (and get credit) by email: securitycatalyst@gmail.com.
Special Report
Did Two Factor Really Fail?

The short answer is: no – listen to learn what could have been done differently and why you should care!

Special Offer
I am offering a substantial discount to the first few people who want to improve the way their company addresses compliance and security (while making themselves look like rockstars) as I am about to unveil Effective Assurance. Listen to the podcast for details – or send me an email at michael.assurance@baldsecurityexpert.com — I look forward to sharing my passion with you and helping you improve compliance through security without wasting another dollar!

**** 17 Days and the Catalyst Community is OPEN!! ****

How many times have you wondered what you would do if you find out your company wasn’t protecting information as they promised? What if you were a consultant or contractor?

Is there a right way to report on privacy and security breaches?

Join the Security Round Table with Special Guest Randal Schwartz to discuss this important issue.

On this episode:

Larry Pesce | Pauldotcom Security Weekly | Haxor the Matrix
Martin McKeay | Network Security Blog & Podcast
Michael Santarcangelo | The Security Catalyst
Randal Schwartz | Stonehenge | Legal Information: Friends of Randal Schwartz

Note: we did reach some interesting conclusions and directions for future advancement. Continue the discussion at the Security Catalyst Community (currently open to trusted catalysts until October 15, 2006 when it becomes available to the entire community).

]]>